Mary Ursula Herrmann is a Network Security Analyst living in Juneau, AK. She has worked in Information Security for over 15 years, and obtained her CISSP in 2005.

I've read two articles recently that talk about real-time monitoring and why it's important. Back in the late 1990s, vulnerability scanning was the “new kid on the block,” but now continuous monitoring is all the rage -- and with good reason.

Continuous monitoring can mean different things to different people. For some, it's a manual process that involves checking logs or sites several times a day. However, that type of continuous monitoring is, in itself, not very efficient. There are a number of products on the market now that will do that work for you and send an alert if they encounter anomalous behavior.

In my article on reporting and SIEM, I talked about using a log management tool to aggregate all your logs and present the data in a meaningful way. If your SIEM does real-time reporting and alerting based on your log data, then that is one way to do real-time or continuous monitoring.

However, logs don't capture the entire picture. They can be tuned to record pretty much everything that is going on with the hosts they're collected from, and some network events are of course also written to logs. Agent-based systems such as McAfee ePolicy Orchestrator can also give some insight into what is happening on hosts. But for true continuous monitoring of not only your hosts but also your network, you need something that essentially will sniff traffic and deliver alerts and reports based on that data. There are various products that do this sort of “passive” discovery -- as opposed to “active” scheduled scans -- such as Sourcefire's Realtime Network Awareness and Tenable's Passive Vulnerability Scanner.
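To make the passive-discovery idea concrete, here is a small added example (not from the original article, and not code from either vendor's product): it builds a host/service inventory from flow records of the kind a sniffing sensor would emit, compares it with the inventory from the last scheduled active scan, and raises ranked alerts for services the scan never saw. The flow records and baseline are constructed sample data, and `build_inventory` and `new_service_alerts` are hypothetical names.

```python
from collections import defaultdict

# Constructed flow observations, shaped like the records a passive sensor
# would emit after sniffing traffic: (client_ip, server_ip, server_port,
# protocol, server_banner_or_None). All values are made-up sample data.
OBSERVED_FLOWS = [
    ("10.0.1.20", "10.0.2.5", 22, "tcp", "SSH-2.0-OpenSSH_7.4"),
    ("10.0.1.21", "10.0.2.5", 22, "tcp", None),
    ("10.0.1.20", "10.0.2.6", 443, "tcp", None),
    ("10.0.1.22", "10.0.2.7", 23, "tcp", None),    # host unknown to baseline
    ("10.0.1.22", "10.0.2.5", 3389, "tcp", None),  # new service on known host
    ("10.0.1.23", "10.0.2.5", 3389, "tcp", None),
    ("10.0.1.20", "10.0.2.6", 53, "udp", None),    # ignored: TCP only here
]

# Constructed baseline from the last scheduled active scan: host -> known ports.
BASELINE = {"10.0.2.5": {22}, "10.0.2.6": {443}}


def build_inventory(flows):
    """Passively derive a host -> {port: (banner, client_count)} inventory."""
    seen = defaultdict(lambda: defaultdict(lambda: [None, set()]))
    for client, server, port, proto, banner in flows:
        if proto != "tcp":
            continue
        entry = seen[server][port]
        if banner and entry[0] is None:   # keep the first banner observed
            entry[0] = banner
        entry[1].add(client)
    return {h: {p: (b, len(c)) for p, (b, c) in ports.items()}
            for h, ports in seen.items()}


def new_service_alerts(inventory, baseline):
    """Services seen on the wire that the last active scan did not report,
    ranked so the most-used unexpected service surfaces first."""
    alerts = []
    for host, ports in inventory.items():
        for port, (banner, clients) in ports.items():
            if port not in baseline.get(host, set()):
                alerts.append({"host": host, "port": port, "banner": banner,
                               "clients": clients,
                               "known_host": host in baseline})
    # most distinct clients first; host and port only break ties
    return sorted(alerts, key=lambda a: (-a["clients"], a["host"], a["port"]))


if __name__ == "__main__":
    for alert in new_service_alerts(build_inventory(OBSERVED_FLOWS), BASELINE):
        print(alert)
```

The ranking step is the part that matters in practice: the raw inventory is the fire hose, and the sorted alert list is the view in which the most-used unexpected service is obvious.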

The thing to keep in mind is that when you add a tool like this to your arsenal, you're going to be drinking from a fire hose in terms of the amount of data with which you'll deal. You will need a SIEM that can really interpret this type of data and put it to work for you, rather than working against you. My suggestion, therefore, would be to do things in steps: First get all the tools in place to monitor your network -- realizing that you're not going to be benefiting from all that data at first -- and then find a SIEM that will be able to take in all of that data and interpret it for you in the most efficient manner.

All the information that you're able to glean from your network and its hosts may seem like too much information. But there's really no such thing. You really need all this information to keep on top of vulnerabilities; you just need to be able to look at it in such a way that what's most important will be obvious so that you can take the needed steps to make your data more secure.